Lock down systemd service #68

ecksun · 2019-01-08T18:20:22Z

To be on the safe side, restrict what the service can do.

paulfantom · 2019-01-08T18:26:50Z

ecksun · 2019-01-08T18:56:30Z

I added ProtectControlGroups and ProtectKernelModules and changed ProtectSystem=strict.

Do you want me to do the check for an old systemd version also?

paulfantom · 2019-01-08T20:29:57Z

systemd version check is necessary when using ProtectSystem=strict as strict was introduced in systemd 232

ecksun · 2019-01-08T20:50:32Z

Alright, the other Protect directives also require 232 according to the changelog so I included them in the version check as well

tasks/preflight.yml

templates/node_exporter.service.j2

To be on the safe side, restrict what the service can do.

ecksun · 2019-01-09T22:04:18Z

I don't know if you get notifications for pushes, but I think I fixed your comments :)

lock · 2019-03-24T22:55:56Z

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

ecksun force-pushed the master branch 2 times, most recently from bdad604 to 3d518d8 Compare January 8, 2019 18:55

ecksun force-pushed the master branch from 3d518d8 to b13dee1 Compare January 8, 2019 20:49

ecksun force-pushed the master branch from b13dee1 to c9be98c Compare January 8, 2019 20:51

paulfantom reviewed Jan 8, 2019

View reviewed changes

tasks/preflight.yml Outdated Show resolved Hide resolved

paulfantom suggested changes Jan 8, 2019

View reviewed changes

templates/node_exporter.service.j2 Outdated Show resolved Hide resolved

Lock down systemd service

a78a902

To be on the safe side, restrict what the service can do.

ecksun force-pushed the master branch from c9be98c to a78a902 Compare January 8, 2019 22:47

paulfantom merged commit d1824cf into cloudalchemy:master Jan 9, 2019

lock bot locked and limited conversation to collaborators Mar 24, 2019

Provide feedback